An international operation involving the National Crime Agency has taken down one of the biggest online marketplaces selling stolen credentials to criminals worldwide.
As part of the investigation the NCA, working with City of London Police and policing partners across the UK, identified hundreds of UK-based users of the platform. This resulted in 31 warrants being executed yesterday and this morning in coordinated raids by the NCA, Regional Cyber Crime Units and police forces.
The activity, which involved 17 countries and was led by the FBI and Dutch National Police, saw Genesis Market taken offline yesterday, 4 April.
Genesis Market was a go-to service for criminals seeking to defraud victims, having hosted approximately 80 million credentials and digital fingerprints stolen from over two million people.
24 people arrested in connection
24 people were arrested in the UK, including two men, aged 34 and 36, who were detained by the NCA in Grimsby on suspicion of Computer Misuse Act and fraud offences.
UK activity will continue in the form of arrests and preventative action, where many users will be contacted by law enforcement and warned about their potentially criminal activity.
In total, there were around 120 arrests, over 200 searches and close to 100 pieces of preventative activity carried out across the globe.
Rob Jones, NCA Director General NECC and Threat Leadership, said: “Behind every cyber criminal or fraudster is the technical infrastructure that provides them with the tools to execute their attacks and the means to benefit financially from their offending.
“Genesis Market was a prime example of such a service and was one of the most significant platforms on the criminal market. Its removal will be a huge blow to criminals across the globe.
“Targeting this infrastructure is at the core of the NCA’s efforts to disrupt the highest harm offenders and protect the public from those seeking to infiltrate their lives, stealing their identities and their money.”
Financial information sold
Genesis Market traded in digital identities, selling ‘bots’ that contained information harvested from victim devices, which had been infected using malicious attacks.
These indiscriminate attacks were conducted against both members of the public and companies operating in a variety of sectors.
The bots would give criminals access to all the data pertaining to an individual identity, such as cookies, saved logins and autofill form data. This information was collected in real time, meaning the buyers would be notified of any change of passwords etc.
The price per bot would range from as little as $0.70 up to several hundred dollars depending on the amount and nature of the stolen data. The most expensive bots would contain financial information, which would allow access to online banking accounts.
Criminals could use this access to steal from victims, either by directly moving money out of an account, or using the credentials to pay for goods and services for their own benefit.
They may also have used the victim account in the process of laundering the profits of other criminal activity – also known as money muling.
Genesis Market was unique in that it provided users with a custom browser, which would mimic that of their victim. This allowed the criminals to essentially masquerade as the victim, making it look like they were accessing their accounts from the usual location and operating system, thus not triggering security measures.
It’s likely that criminals would use information about a victim they had obtained from their various accounts, such as interests, names of friends and family, and personal circumstances, to socially engineer them for further offences.
This process sees a fraudster using the information to build trust with a victim, then manipulating them into handing over money voluntarily, e.g. via romance or investment frauds.
“We are coming after them”
Members of the public can check whether their data has been compromised and accessed by criminals on Genesis Market by visiting https://www.politie.nl/checkyourhack and inputting their email address.
Those who have been affected are encouraged to report this, either to Action Fraud via its online portal or, if they live in Scotland, to Police Scotland by calling 101.
The NCA has also collaborated with the National Cyber Security Centre and City of London Police to devise five steps for members of the public to follow in order to protect their devices and online accounts. These can be accessed on the NCA website: https://bit.ly/GenesisMarket.
Rob Jones added: “Cyber crime is a key enabler of the vast majority of fraud, which is now the single largest crime type in the UK, affecting more people than any other.
“It’s therefore extremely important that our response to these two threats is a collaborative effort at both an international and national level.
“Support from ROCUs and forces in this case was key to delivering this collaborative response in the UK and has resulted in us disrupting a significant number of offenders.
“The NCA is attacking criminal infrastructure from all angles and those seeking to use such services should be aware that we are coming after them.”
(Source: NCA)